How to pass the SmartScreen on Win8 when installing a signed application?

9

86

We are developers, and we have a digitally signed application installer. When we install this application, it pops up the SmartScreen, which affects the installation experience. It says

Windows protected your PC

Windows SmartScreen prevented an unrecognized app from starting, Running this app might put your PC at risk.

I think Microsoft has some strategy to verify the application besides the digital signature. Has anyone had experience with this issue? Please give me some clue to fix it.

Dallon answered 7/9, 2012 at 3:9 Comment(1)
Does this answer your question? How to avoid the "Windows Defender SmartScreen prevented an unrecognized app from starting warning"Passage
47

If you signed the installer with a certificate purchased from a CA, you are supposed to contact the CA for an explanation of why they failed to work with Microsoft to get rid of this warning.

If the certificate is not from a CA, but a self-signed certificate, you will have to resort to a CA.

Microsoft has most of the information published on its Windows team blog already:

https://blogs.msdn.microsoft.com/ie/2012/08/14/microsoft-smartscreen-extended-validation-ev-code-signing-certificates/

Best Practices

Developers should still follow the best practices we’ve suggested in past blog posts. We have added to that guidance the additional options of distributing apps thru the Windows Store and the option of EV code signing:

  • Distribute your apps through the Windows Store

Windows 8 Applications are required to pass the Windows Store developer onboarding and application review process. Windows 8 applications are not in scope for SmartScreen application reputation checks or warnings in Windows 8.

  • Digitally sign your programs (Standard or EV code signing)

Reputation is generated and assigned to digital certificates as well as specific files. Digital certificates allow data to be aggregated and assigned to a single certificate rather than many individual programs. Although not required, programs signed by an EV code signing certificate can immediately establish reputation with SmartScreen reputation services even if no prior reputation exists for that file or publisher. EV code signing certificates also have a unique identifier which makes it easier to maintain reputation across certificate renewals. Only Authenticode Certificates issued by a CA that is a member of the Windows Root Certificate Program can establish reputation.

At this time, Symantec and DigiCert are offering EV code signing certificates.

  • Don’t sign or distribute malicious code

Distributing code detected as malicious will remove the reputation from a file and also any reputation from the associated digital certificate – even if signed with an EV code signing certificate.

  • Apply for a Windows Logo or Windows 8 Desktop App Certification

Learn more about these programs here: Windows 8 Desktop App Certification (required for Windows Store submissions) Windows Logo Program

Eolith answered 7/9, 2012 at 5:59 Comment(2)
"If the certificate is not from a CA, but a self-signed certificate, you will have to resort to a CA." Through what sources of revenue should a hobbyist or micro-ISV recover the roughly $110 per year fee that CAs charge?Trochilus
"As we’ve discussed in the past, SmartScreen builds reputation for both individual programs and for the certificate used to sign that code." Quoted from the linked Microsoft blog post. Many open source projects rely on their reputation, while you can also ask for sponsorship around to cover the fees if you do want to sign.Eolith
48

We just went through the whole process of moving from an old Authenticode certificate to a new one (not an EV certificate, just a plain certificate that can be used in our automated build process).

Microsoft is no longer providing any means of transferring reputation from an existing certificate to a new one. So don't try to call their support. You'll just waste a lot of time and energy. And they won't be able to help.

Microsoft is claiming that if the old and new certificates have the same textual content, the reputation gets established faster. More specifically, here is the reply I got from the SmartScreen® Filter's Application Reputation feature support team:

Please note that whenever you renew a certificate with known reputation, you will likely see some warns during initial downloads of files signed with the renewed certificate. However, known reputation on the renewed certificate is typically established more rapidly than on a new certificate. While a renewed certificate establishes reputation, users can still click through to run or save the download. To do so, they select Actions | More Options | Run Anyway from Download Manager.

The best way to ensure that SmartScreen won't warn the users is to run the Windows App Certification Kit (WACK) which should be included in the Windows SDK download:

Windows App Certification Kit

After running the tests, WACK explains how to proceed:

Final Report - Validation passed

Upload the XML result of a successful application certification to https://sysdev.microsoft.com. A few days later, SmartScreen will be aware of the digital signature used for the certified program and will no longer warn the users on download.

Note: We were not able to certify our application on the latest updates of Windows 8.1, and we had to use a clean install of Windows 8.1 in order to get WACK to validate all of our programs successfully.

Didache answered 6/2, 2015 at 5:44 Comment(13)
I would like to mention that this process took me about 2 hours or so (maybe a little more) to complete. I'm not sure if the size of the project is a factor, but this isn't a 2 minute process.Eleazar
The WACK can be downloaded from here.Vet
This was super helpful. Thank youParticipation
This was very helpful, thank you so much. I want to add that when the XML is uploaded it takes you to a list of legal documents. The submission is still not visible in my cert manager, but I think this is a manual process and it's just a matter of waiting until an agent signs off on your app.Virtue
For some reason it crashes all the time on Windows 10 during report creation.Religious
This was very helpful, thanks. Just a question: do I really have to go through this each time I release a new version of my application (even if we always use the same cert)? Or is it enough to do it once, and from that point on our certificate will be on Microsoft's "good" list and SmartScreen won't be shown for future versions? If I have to do it every time, oh boy, they don't make it easy..Funicle
Doing this once is OK for the certificate to be known by Microsoft. But even with such a registered certificate, Microsoft will only put it on its "good" list after a dozen machines have downloaded it (from what I could observe the last time our certificate changed).Didache
It seems MS retired sysdev.microsoft.com. Do you know where now to upload the file?Imbibition
It seems MS retired sysdev.microsoft.com. Do you know where now to upload the file?Leatherneck
Same problem as two other users: I cannot upload XML reports, as sysdev on the MS site is dead. Where should I upload now?Irma
Win32 logo certification is deprecated techcommunity.microsoft.com/t5/windows-hardware-certification/…Theodora
Instead, submit files here: microsoft.com/en-us/wdsi/filesubmissionTheodora
That site seems to be for submitting malware samples, hardly seems like a good idea for submitting applications to be certified!Maidservant
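The WACK run described in the answer above can be driven from a build script instead of the GUI. This is an added example, not the answerer's own procedure: the installer path, report path, the appcert.exe location (the Windows 8.1 SDK default is assumed) and the name of the report's result attribute are assumptions to adjust for your environment.

```powershell
# Added example: run the Windows App Certification Kit unattended and check the result.
param(
    [string]$Installer  = "C:\build\MyAppSetup.exe",    # assumed path to the signed installer under test
    [string]$ReportPath = "C:\build\wack-report.xml",   # where WACK writes the XML report you later upload
    # Assumed default location for the Windows 8.1 SDK; the Windows 10 SDK uses ...\Windows Kits\10\...
    [string]$AppCert    = "${env:ProgramFiles(x86)}\Windows Kits\8.1\App Certification Kit\appcert.exe"
)

if (-not (Test-Path $AppCert))   { throw "appcert.exe not found at $AppCert" }
if (-not (Test-Path $Installer)) { throw "installer not found at $Installer" }

# WACK keeps state between runs; reset it so a stale result cannot mask a failure.
& $AppCert reset

# Run the desktop-app test suite. WACK launches the installer and then your program;
# as the comments above note, this can take a couple of hours.
& $AppCert test -apptype desktop -setuppath $Installer -reportoutputpath $ReportPath
if ($LASTEXITCODE -ne 0) { throw "appcert test exited with code $LASTEXITCODE" }

# Finalize the report; an unfinalized XML is not a completed certification result.
& $AppCert finalizereport -reportfilepath $ReportPath
if ($LASTEXITCODE -ne 0) { throw "appcert finalizereport exited with code $LASTEXITCODE" }

# Assumption: the report's root element carries an OVERALL_RESULT attribute
# (PASS, PASS WITH WARNINGS or FAIL). Check it rather than trusting the exit code alone.
[xml]$report = Get-Content -Raw $ReportPath
$overall = $report.DocumentElement.GetAttribute("OVERALL_RESULT")
Write-Host "WACK overall result: $overall"

# Fail the build on anything other than a pass. A pass with warnings still deserves a
# look: as another answer on this page notes, it is not a guarantee of SmartScreen trust.
if ($overall -notmatch '^PASS') { exit 1 }
```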
E
16

I have been searching for a while, so I'll share what I've found so far.

I haven't found any documentation about this feature in Windows 8 from Microsoft, but I may just be looking in the wrong places.

Most of the articles I read discuss that the SmartScreen Filter works as follows:

  • Before running an installer or executable that was downloaded, Windows 8 consults with a database.
  • The database can report whether or not that program has been:
    • reported as malicious/phishing (and verified by a Microsoft employee).
    • used/run by many people.

If enough people have run that installer, without reporting it as malicious, eventually that program will be flagged as safe, and other users will not receive the annoying message.

some sources: (here) (here)

The information sent to Microsoft when a user installs a program includes IP address, a hash of the installer and digital signature, and possibly the filename of the application. (see here)

Microsoft employees would have direct access to the database to add and flag safe all Microsoft applications.

Perhaps Microsoft has set up a way to pre-certify your installer with them, if not you may just need to wait until enough people run the installer. (but not sure how many that would be).

Ecclesiology answered 7/9, 2012 at 6:3 Comment(1)
The link to log.nadim.cc/?p=78 is broken and even the Way Back Machine does not reveal any content. Are there any alternative locations for the content?Vet
14

I just went through this process, and I'll add some tidbits of info to this.

1) Get an EV. It's worth it. Next time you upgrade your certificates, upgrade to an EV certificate. The price is about $100 more per year. EV certificates are considered more secure, because they are harder to steal. When the certificate is issued to you, a hardware token device will be issued to you to complete the signing. Unfortunately, the final signing is not compatible with automated builds.

It's not as terrible as it sounds. They will provide you a second certificate to sign your executables (inside the installer) which remains compatible with automation. The signature on the installer must be signed in conjunction with the hardware token.

2) If you don't want to get an EV certificate, you need reputation. If you're upgrading, Microsoft will transfer the reputation from your old certificate to your new one. You must contact MSDN tech support and in about a week it'll be done. I submitted my old and new installers -- with old and new certificates -- and they fixed it.

3) If this is your first certificate, you're stuck with SmartScreen until you get reputation. You probably should get your app certified through sysdev.microsoft.com. But, it's not really known how many downloads you need before you earn a positive reputation with Microsoft.

That's my experience.

Menfolk answered 1/10, 2013 at 4:15 Comment(4)
Could you please tell me, where to submit an app to transfer the reputation of my old certificate?Undulation
I used my MSDN subscription to make a developer support request.Menfolk
I've just gone through the whole process with Microsoft. Apparently, MSDN tech support is no longer providing any assistance on this topic. You really need to establish some reputation in order to make the SmartScreen warnings go away. The simplest way would be to verify your app with the Windows App Cert Kit and then upload the results to sysdev.microsoft.com.Didache
Are EVs even available to individuals, as opposed to corporations? And what steps should a hobbyist take to raise the money for one?Trochilus
5

Since Windows 8.1 came out:

  • Microsoft stopped trusting applications signed with Standard Code Signing Certificates when you download them via the internet to your PC and try to install them, but applications signed with Standard Code Signing Certificates work if you distribute your application via USB or CD-ROM.

  • Do not use signtool.exe to verify (signtool.exe verify /pa mysetup.exe will show success, but it will fail when other users download it and try to install it: a SmartScreen popup will keep showing up).

Use Windows App Certification Kit (WACK)


  • These standard code signing certificates are dead. Meaning if you have a standard code signing certificate, it won't work reliably anymore like it did in the past; even though Windows App Certification Kit (WACK) shows PASS with WARNING, that does not mean it's a 100% verified success.


You have to purchase EV certificate (https://www.globalsign.com/en/code-signing/)

So, to be 100% successful, follow the spoon feed:

Step 1: go to https://sysdev.microsoft.com and log in

a) Create a company account > next

b) Download the winqual.exe file, which Microsoft provides as a zip file; now sign winqual.exe with your standard certificate or EV certificate and then click next to upload the file for validation.

In my case it failed because I have a standard certificate, which Microsoft stopped allowing. So all you have to do now is buy an EV license, else you are screwed and can spend your lifetime solving this problem without any clue.


Stillman answered 15/3, 2015 at 23:41 Comment(2)
This is for drivers development.Coheir
So everybody needs to buy that certificate which costs $290 per year to avoid smartscreen ?Roll
4

I have tested the EV cert solution and it does work.

Sadly, I will also mention that EV certs are incompatible with TeamBuild which executes signing under the context of a service. EV certs require a hardware token that interfaces with the Cryptographic Service Provider that is provided by SafeNet, Inc for use with all authorized EV cert vendors (VeriSign and DigiCert).

When signing occurs the drivers from Safenet will prompt for a password which is somewhat incompatible with executing under the context of a service. Additionally, Safenet provides protection that prevents signing from anything but the actual console. You cannot even sign from within a remote desktop session. So, signing from within Teambuild is problematic at best and not possible at worst.

I have worked with Microsoft and they have not been able to provide a workaround for signing or any other way to achieve instant reputation under SmartScreen.

Danieledaniell answered 30/7, 2013 at 16:58 Comment(0)
1

Unfortunately I don't have enough rep to simply comment on one of the above answers. However, if you specify partial trust for your published app (I chose Internet zone) and have a code signing cert in place, no smart screen warning is displayed (checked on Win10).

Triazine answered 24/8, 2015 at 12:34 Comment(0)
1

I sign my application in an automated manner using an EV certificate on a token (GlobalSign). Use a .bat file. In the ".bat" file, type, e.g. (for SHA-1):

SignTool.exe sign /n "Exact Enterprise name in the cert - token" /t "http://timestamp.globalsign.com/scripts/timstamp.dll" "c:\Patch_to_file\Filename.exe"

The "Exact Enterprise name in the cert - token" should be the exact name that is in the certificate (token).

Tragus answered 14/4, 2016 at 17:29 Comment(1)
And did it remove the smartscreen dialog ?Roll
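An added example, not the answerer's .bat file: a PowerShell signing script that applies the split described in Menfolk's answer above (executables inside the installer signed with the automation-friendly certificate, the installer itself with the EV token), selecting certificates by subject name with `/n` as this answer does and using the timestamp URL quoted here. The signtool location, directories, file names and certificate subject names are assumptions.

```powershell
# Added example: sign inner executables and the installer, then verify each signature.
param(
    [string]$SignTool     = "signtool.exe",                     # assumed to be on PATH (Windows SDK)
    [string]$BinDir       = "C:\build\bin",                     # assumed: binaries packaged inside the installer
    [string]$Installer    = "C:\build\MyAppSetup.exe",          # assumed: the installer users download
    [string]$InnerCertCN  = "Example Corp Automation Signing",  # assumed: subject of the automation-friendly cert
    [string]$InstallerCN  = "Example Corp",                     # assumed: exact subject name on the EV token
    [string]$TimestampUrl = "http://timestamp.globalsign.com/scripts/timstamp.dll"  # URL from the answer above
)

function Sign-File {
    param([string]$Path, [string]$SubjectName)
    # /n selects the certificate by subject name from the current user's store, so the
    # same command works for a PFX-imported certificate and for a token-backed one.
    # /fd sha256 hashes the file with SHA-256; /t adds an Authenticode timestamp so the
    # signature remains valid after the signing certificate expires.
    & $SignTool sign /n $SubjectName /fd sha256 /t $TimestampUrl /v $Path
    if ($LASTEXITCODE -ne 0) { throw "signing failed for $Path (exit code $LASTEXITCODE)" }
}

function Verify-File {
    param([string]$Path)
    # /pa applies the default Authenticode policy; exit code 0 means signature and chain
    # check out. A clean verify does NOT mean SmartScreen will trust the download:
    # reputation is a separate, server-side property (see Stillman's answer above).
    & $SignTool verify /pa /v $Path
    return ($LASTEXITCODE -eq 0)
}

# 1. Inner executables and libraries: signed with the certificate that works unattended.
Get-ChildItem -Path $BinDir -Include *.exe, *.dll -Recurse | ForEach-Object {
    Sign-File -Path $_.FullName -SubjectName $InnerCertCN
    if (-not (Verify-File $_.FullName)) { throw "verify failed: $($_.FullName)" }
}

# 2. Installer: signed with the EV token. Expect the token driver to prompt for its
#    password, so run this step on the console, not as a build service or over RDP.
Sign-File -Path $Installer -SubjectName $InstallerCN
if (-not (Verify-File $Installer)) { throw "verify failed: $Installer" }
```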
1

"The version of the file is not compatible with the version of Windows you're running". Under Windows 2008 Server there is no 'More Info' button to choose to install anyway.

As we develop windows desktop software (not 'Apps') using non-Microsoft products (Delphi), and use Innosetup for our installer, the app validation is meaningless. It sits there for 30 minutes doing nothing, we simply start the app, then close the app manually, and it generates a pass report.

We code sign all our releases and every executable within them.

When we upload the XML to Microsoft, the certified XML sits on a site unrelated to our main developer account, with no way to publish it to the Microsoft Store. 45 minutes wasted per application.

Biomass answered 1/8, 2016 at 6:13 Comment(0)